25 October 2013
With today's Datomic release, you can use IAM roles to manage permissions when running in AWS.
Motivation
Datomic's AWS support has been designed according to the principle of least privilege. When running in AWS, a Datomic transactor or peer needs only the minimum permissions necessary to communicate with various AWS services. These permissions are documented in Setting Up Storage Services.
But you still need some way to grant these minimal permissions to ephemeral virtual hardware. Early versions of AWS left this problem to the developer. Solutions were tedious and ad hoc, but more importantly, they were risky. Leaving every application developer the task of passing credentials around is a recipe for credentials lying around in a hundred different places (or even checked into source code repositories).
IAM roles provide a generic solution to this problem. From the IAM FAQ: "An IAM role allows you to delegate access, with defined permissions, to trusted entities without having to share long term access keys" (emphasis added). From a developer perspective, IAM roles get credentials out of your application code.
Implementation
Starting with version 0.9.4314, Datomic supports IAM roles as the default mechanism for conveying credentials in AWS. What does this mean for developers?
- If you are configuring Datomic for the first time, the setup instructions will secure peers and transactors using IAM roles.
- If you have an existing Datomic installation and want to upgrade to roles, Migrating to IAM Roles will walk you through the process.
- Using explicit credentials in transactor properties and in connection URIs is deprecated, but will continue to work. Your existing deployments will not break.
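The third point is the one that lingers in practice: deprecated explicit credentials keep working, so a migrated deployment can still carry long-term keys in a transactor.properties file or a connection URI without anything failing. The following audit script is an added example, not code from Datomic or from the original post. It assumes the deprecated settings are the transactor properties aws-access-key-id and aws-secret-key and the datomic:ddb:// URI parameters aws_access_key_id and aws_secret_key, and it assumes the documented long-term access key id shape (20 characters starting with AKIA). The sample properties file and URI are constructed for the example; the key id is the AWS documentation placeholder, not a real credential.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Long-term IAM user access key ids begin with "AKIA"; temporary STS keys begin with "ASIA".
# This is a heuristic match on the documented key-id shape, not an AWS API call.
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Assumed names of the deprecated explicit-credential settings.
CREDENTIAL_PROPS = ("aws-access-key-id", "aws-secret-key")    # transactor.properties keys
CREDENTIAL_PARAMS = ("aws_access_key_id", "aws_secret_key")  # datomic:ddb:// query parameters


def parse_properties(text):
    """Parse a Java-style .properties file into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_embedded_credentials(props):
    """Return the property keys that carry a long-term AWS credential, sorted."""
    return sorted(k for k, v in props.items()
                  if k in CREDENTIAL_PROPS or ACCESS_KEY_ID_RE.search(v))


def strip_credential_properties(props):
    """Return the properties with explicit credentials removed; the instance role supplies them."""
    offending = set(find_embedded_credentials(props))
    return {k: v for k, v in props.items() if k not in offending}


def strip_uri_credentials(uri):
    """Remove credential parameters from a datomic:ddb:// URI.

    Returns (clean_uri, removed_parameter_names). Other query parameters are preserved.
    """
    base, sep, query = uri.partition("?")
    if not sep:
        return uri, []
    params = parse_qsl(query, keep_blank_values=True)
    kept = [(k, v) for k, v in params if k not in CREDENTIAL_PARAMS]
    removed = [k for k, _ in params if k in CREDENTIAL_PARAMS]
    clean = base + ("?" + urlencode(kept) if kept else "")
    return clean, removed


def audit(properties_text, uris):
    """Return one finding per embedded long-term credential across properties and URIs."""
    findings = [f"transactor property '{k}' holds a long-term credential"
                for k in find_embedded_credentials(parse_properties(properties_text))]
    for uri in uris:
        _, removed = strip_uri_credentials(uri)
        findings += [f"connection URI embeds '{p}'" for p in removed]
    return findings


# Constructed sample of a pre-role transactor.properties; not a real deployment.
SAMPLE_PROPERTIES = """\
# constructed sample, explicit credentials still present after a partial migration
protocol=ddb
host=localhost
port=4334
aws-dynamodb-table=my-datomic-table
aws-dynamodb-region=us-east-1
aws-access-key-id=AKIAIOSFODNN7EXAMPLE
aws-secret-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample peer URI with the deprecated credential parameters.
SAMPLE_URI = ("datomic:ddb://us-east-1/my-datomic-table/my-db"
              "?aws_access_key_id=AKIAIOSFODNN7EXAMPLE"
              "&aws_secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, [SAMPLE_URI]):
        print("FINDING:", finding)
    print("clean URI:", strip_uri_credentials(SAMPLE_URI)[0])
    print("clean properties:", strip_credential_properties(parse_properties(SAMPLE_PROPERTIES)))
```

Run it over the real transactor.properties and every peer's connection URI before you consider the migration finished; any finding means a long-term key is still in play, and the role attached to the instance is not the only credential path. Stripping the credentials is the easy half: the keys themselves should be rotated or deleted in IAM afterwards, since a key that has sat in a properties file may already be in a backup, a log, or a repository.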
IAM roles make your application both easier to manage and more secure. Use them.